It's HTTPS or bust: How to secure your website

You no longer have a choice about locking down your website. Google will mark all non-HTTPS sites as insecure this July. It's time to lock your site down, and Let's Encrypt gives you a free and easy way to do it.

To secure your website, you must install an X.509 Digital Certificate, generically called an SSL certificate, on your server. A trusted third party, called a Certificate Authority (CA), guarantees the Digital Certificate's authenticity with a Digital Signature, so your visitors can be sure they are where they thought they were going.

There are many CAs. Some of the best commercial ones are Network Solutions, Entrust, and Symantec. Prices for certificates from a major provider range from $50 to $500. You can also get a free certificate -- that's every bit as good for most purposes -- from the non-profit Internet Security Research Group (ISRG)'s Let's Encrypt. The big business difference between the commercial CAs and Let's Encrypt is that commercial businesses back up their security with a warranty of between $500,000 and $1 million. With Let's Encrypt, you're on your own.

Web Security Certificate Types

Before deploying any certificate you must know there are three different SSL certificate types. These are, in order of business capability: Domain Validation (DV) SSL Certificates, Organization Validation (OV) SSL Certificates, and Extended Validation (EV) SSL Certificates.

These certificates vary in how much encryption they use. While you can find discount certificates with 256-bit encryption, for real-world purposes, you need at least a 2048-bit certificate.

Domain Validation

In the past, a DV was often, but not always, a self-signed certificate. Now, thanks largely to Let's Encrypt, DV certificates commonly come from a CA. Censys.io records over 300 million DV certs and 63 million self-signed certs, so the scale has definitely tipped.

DVs are also offered by some CAs, such as GeoTrust and RapidSSL. All a DV means is that the site has been registered by someone with admin rights to the site. If the certificate is valid and signed by a trusted CA, a web browser connecting to the site will inform you that it has successfully secured an HTTPS connection. You can use a DV to secure a simple website.

Organization Validation

An OV validates the domain ownership and includes ownership information like the site owner's name, city, state, and country. This is the minimum certification level for a commercial website. This middle tier of certificates is seldom used.

Extended Validation

For a serious website, your best choice is an EV SSL certificate. These legally validate the domain's owners. Depending on the CA, it can take weeks to get one, so it's past time to start the process of getting one. Sites with an EV SSL certificate have a green address bar in most browsers.

The first two certifications come in two flavors. The first is the inexpensive single domain certificate. As the name suggests, it protects a single website. Its brother, the wildcard certificate, protects multiple sub-domains.

EV certificates are always single-domain certificates. If you need to cover multiple sub-domains with EV certificates, you can often get a volume discount, but you can't get a wildcard that will cover all your sub-domains.

Let's Encrypt

The easiest and cheapest way to get a certificate is to use Let's Encrypt with its DV certificates. Let's Encrypt is a free, automated, and open security certificate authority (CA) for everyone. It does not offer, nor will it ever offer, OV or EV certificates. Still, if you're not doing e-commerce from within your site, a Let's Encrypt DV may be all you need.

Automatically prove to the Let's Encrypt Certificate Authority (CA) that you control the website.

Obtain a browser-trusted certificate and set it up on your web server.

Keep track of when your certificate will expire, and automatically renew it. Since the service's certificates automatically expire every 90 days, you must renew the certificate frequently. To make sure you're never caught short, you should automatically renew it every 60 days.

Help you revoke the certificate if that ever becomes necessary.

If you're running an e-commerce site, use an EV SSL certificate from a well-regarded CA. To find the right commercial certificate for you, check out SSL Shopper's recommendations. For the rest of us, a Let's Encrypt certificate should work just fine.

To get started with Let's Encrypt, first update your server operating system and web server, and then download and install Let's Encrypt. If you're using a hosting site for your web server, use its in-house instructions or services.

If you're running your own web server on Linux, the easiest way to do this is with Certbot. This site provides detailed instructions for the most popular Linux server distributions and for the following web server programs: Apache, NGINX, HAProxy, and Plesk. If you're running on Microsoft Azure, you can use the GetSSL - Azure Automation PowerShell script. Still running your web server on Windows Server? Then, check out ACMESharp, which uses .NET and PowerShell.

Let's Encrypt will add wildcard certificates at the end of February 2018. However, you can still cover all your site's subdomains -- e.g. mail.example.com, www.example.com, preproduction.example.com -- by requesting a certificate using Subject Alternative Names (SAN).
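
An added example, not part of the original article or any Let's Encrypt tooling: a small Python monitor for the two checks described above, whether a 90-day certificate has reached its day-60 renewal point and whether its Subject Alternative Names cover every subdomain you serve. The function names, the sample certificate, and the clock value are constructed for illustration; fetch_cert() shows how the same dict is obtained from a live server.

```python
import socket
import ssl
from datetime import datetime, timezone

CERT_LIFETIME_DAYS = 90  # Let's Encrypt lifetime given in the article
RENEW_AT_DAY = 60        # renewal point the article recommends

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "mail.example.com")),
}

def fetch_cert(host, port=443):
    """Fetch a live, chain-validated certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now):
    """Whole days between `now` (timezone-aware) and the cert's notAfter."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expiry, tz=timezone.utc) - now).days

def needs_renewal(cert, now):
    """True when 30 or fewer days remain, i.e. day 60 of a 90-day cert."""
    return days_remaining(cert, now) <= CERT_LIFETIME_DAYS - RENEW_AT_DAY

def san_matches(pattern, host):
    """Compare one SAN dNSName to a host; '*' covers one left-most label only."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def uncovered_hosts(cert, hosts):
    """Return the hosts that no DNS entry in the SAN list covers."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hosts if not any(san_matches(n, h) for n in names)]

if __name__ == "__main__":
    now = datetime(2018, 5, 5, 12, 0, tzinfo=timezone.utc)  # constructed clock
    wanted = ["mail.example.com", "www.example.com", "preproduction.example.com"]
    print("days left:", days_remaining(SAMPLE_CERT, now))
    print("renew now:", needs_renewal(SAMPLE_CERT, now))
    print("missing from SAN:", uncovered_hosts(SAMPLE_CERT, wanted))
```

Run on a schedule, a non-empty uncovered_hosts() result or a true needs_renewal() is the signal to reissue before browsers start showing warnings.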

So, what are you waiting for? Get on with securing your site, whether with Let's Encrypt or an EV from an established CA. If you don't, you'll be in a world of hurt this summer when people stop coming to your site because it's insecure.
